WA organisations lose $500,000 to ‘man in the middle scams’

Information status

All announcements issued prior to 1 July 2017 were issued by the former Department of Commerce. Announcements listed here are the latest versions available, but may be subject to review. For more information on this announcement, please contact online@dmirs.wa.gov.au.

Fraudsters posing as CEOs or third-party suppliers have cost Western Australian businesses and not-for-profits at least $500,000 in the last two years, prompting a warning about ‘man in the middle scams’.

Acting Commissioner for Consumer Protection David Hillyard said the fraud works in two equally sophisticated ways.

“The false boss or CEO scam usually hacks a chief executive officer or senior leader’s email account to send a subordinate a request to transfer money to a bank account. The imposter will give a plausible reason and believable account holder name but the account number directs the funds to the offenders or their associates.

“The payment diversion scam involves ‘phishing’ phone calls and emails to find out about who works in the finance area of an organisation and existing arrangements with goods or service providers. The fraudsters pretend to be a third party supplier, often via a fake email invoice, and provide new bank account details for payment of money owed.”

Consumer Protection’s WA ScamNet has recorded at least 10 reports of ‘false boss scams’ since 2015 with a total loss of $47,820.00. Between 2015 and 2016 there have been at least 15 reports of ‘payment diversion scams’ with losses totalling $461,215.00.

In Queensland, Brisbane City Council revealed to the media yesterday that it had lost $450,000 to this type of scam. There have also been numerous attacks elsewhere in Australia and overseas.

Mr Hillyard warned anyone making payments to third parties to be aware of the increased frequency in attempts to intercept money. This was echoed by WA Police Major Fraud Squad.

“Receivers of emails need to be aware that the offenders will use links or attachments containing ‘spyware’ to gather knowledge of personnel, current work or projects and associated suppliers,” Detective Senior Sergeant Steve Potter said.

“To avoid becoming a victim business or organisation, finance areas are advised to ensure processes around money transfers and changing supplier bank account details are robust. Include a step to validate the transaction via previously established contact details; known good phone numbers, email addresses and ideally, speaking with a known individual.”

Warning letters are being sent by the Department of Commerce Director General (DG) to DGs or CEOs at other State and Local Government agencies. The message is also being communicated to businesses, not-for-profits and the wider community as part of a joint communication plan in conjunction with WA Police Major Fraud Squad.